Though the potential threat may be small, AT&T servers leaked untold numbers …

Share this story

At least 114,000 e-mails addresses and ICC-IDs were leaked by a security hole in AT&Ts servers, according to a Valleywag report. The e-mail addresses of numerous government and military officials as well as many Fortune 500 CEOs were among those revealed in the leak.

A group calling itself "Goatse Security" revealed the flaw to Valleywag after it had used the flaw to harvest thousands of e-mail addresses. AT&T has since closed the hole, but the group said that the flaw may have been exploited by other hackers who knew how the flaw worked before AT&T fixed it.

A script on AT&T's servers was designed to return an iPad 3G user's e-mail address when presented with a unique ICC-ID—a serial number embedded in the microSIM that identifies a particular iPad to AT&T's cellular network. Goatse Security then guessed a range of valid ICC-ID numbers from some that had been published online (available in screenshots of the Settings app, for instance), and used those to mine AT&T's servers for e-mail addresses.

University of Virginia computer science PhD Karsten Nohl, who is familiar with the inner workings of the GSM protocol, told Valleywag that "the disclosure of the ICC-ID has no direct security consequences." Furthermore, as Gizmodo noted, the worst consequences of this particular leak are most likely increased spam sent to or spoofed as coming from a particular e-mail address. However, it's not entirely unreasonable to suspect that hackers might attempt to crack into some of the e-mail accounts revealed, which include officials from the FCC, FAA, NASA, and the Army.

While the security threat to iPad 3G users is quite low, the breach nonetheless must be quite embarrassing for AT&T as well as Apple. Apple did not respond to our request for comment but AT&T spokesperson Seth Bloom told Ars that the company takes customer privacy seriously, and worked quickly to rectify the problem as soon as it became aware of the issue.

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDs," Bloom said, noting that Goatse Security did not reveal the flaw to AT&T. "This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC-IDs may have been obtained."